Description
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.

On MX platforms with MPC10, MPC11, LC4800 or LC9600 line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance.

An affected configuration would be:

user@host# show configuration interfaces lo0 | display set
set interfaces lo0 unit 1 family inet filter input <filter-name>

where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI.
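
A configuration audit for the pattern just described, as an added example that is not part of the advisory or of Juniper's tooling: it scans `display set` output for input filters on lo0.n (n non-0) whose unit is not listed under any routing-instance. The filter and routing-instance names are constructed, matching families other than inet and `input-list` goes beyond the single line shown above, and line-card model and Junos release still have to be checked separately.

```python
import re

# Constructed sample of `show configuration | display set` output (not from a real device).
SAMPLE_CONFIG = """\
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces lo0 unit 1 family inet filter input PROTECT-RE-1
set interfaces lo0 unit 1 family inet address 192.0.2.1/32
set interfaces lo0 unit 2 family inet filter input PROTECT-VRF
set interfaces lo0 unit 3 family inet6 filter input-list PROTECT-V6
set routing-instances CUST-A instance-type vrf
set routing-instances CUST-A interface lo0.2
"""

# Input filter applied to a lo0 unit (any address family; assumption beyond the page's inet case).
FILTER_RE = re.compile(
    r"^set interfaces lo0 unit (\d+) family (\S+) filter (input|input-list) (\S+)\s*$")
# A lo0 unit bound to a routing instance, i.e. not in the default RI.
RI_IF_RE = re.compile(r"^set routing-instances (\S+) interface lo0\.(\d+)\s*$")


def find_unenforced_lo0_filters(set_config):
    """Return sorted [(unit, family, filter_name)] for filters on lo0.n (n != 0)
    whose unit is not referenced by any routing instance (so it is in the default RI)."""
    filtered = []        # every lo0 input filter seen: (unit, family, filter_name)
    units_in_ri = set()  # lo0 units referenced under routing-instances
    for line in set_config.splitlines():
        line = line.strip()
        m = FILTER_RE.match(line)
        if m:
            filtered.append((int(m.group(1)), m.group(2), m.group(4)))
            continue
        m = RI_IF_RE.match(line)
        if m:
            units_in_ri.add(int(m.group(2)))
    # lo0.0 is the unit the vendor workaround moves to, so it is never flagged.
    return sorted(f for f in filtered if f[0] != 0 and f[0] not in units_in_ri)


if __name__ == "__main__":
    for unit, family, name in find_unenforced_lo0_filters(SAMPLE_CONFIG):
        print(f"lo0.{unit}: family {family} filter {name} is in the default RI "
              "(affected pattern)")
```

Configuration inherited from groups is only visible to this check if the input was produced with inheritance expanded.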

The issue can be observed with the CLI command:

user@device> show firewall counter filter <filter_name>

not showing any matches.

This issue affects Junos OS on MX Series:

* all versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S7,
* 24.2 versions before 24.2R2,
* 24.4 versions before 24.4R2.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Control‑plane bypass via firewall filter omission
Action: Apply Patch
AI Analysis

Impact

An improper check in the packet forwarding engine of Juniper Networks Junos OS on MX Series routers allows an unauthenticated, network‑based attacker to bypass firewall filters applied to non‑zero loopback interfaces (lo0.n, n≠0) that reside in the default routing instance. The filter is never executed, enabling traffic destined for the control‑plane to reach the device without restriction. This flaw, classified as CWE‑754, effectively removes a critical access‑control barrier.

Affected Systems

The vulnerability affects Juniper's MX Series routers with MPC10, MPC11, LC4800, LC9600 line‑cards, and MX304. All Junos OS releases before 23.2R2‑S6, before 23.4R2‑S7, before 24.2R2, and before 24.4R2 are susceptible. It occurs when a firewall filter is attached to a lo0 unit that is not referenced in any routing‑instance configuration, meaning it is placed in the default routing instance.

Risk and Exploitability

With a CVSS score of 6.9 and no EPSS data, the flaw is considered medium severity. Attackers need only network access to send traffic to the misconfigured lo0.n interface and do not require authentication, making exploitation straightforward for a nearby adversary. Since the control‑plane is exposed, an attacker could potentially access management interfaces or extract sensitive configuration if the device hosts critical network functions. The vulnerability is not listed in the CISA KEV catalog, but its impact warrants prompt remediation.

Generated by OpenCVE AI on April 9, 2026 at 23:52 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 23.2R2-S6, 23.4R2-S7, 24.2R2, 24.4R2, 25.2R1, and all subsequent releases.


Vendor Workaround

Renaming the lo0 logical unit used in the default routing instance from non-0 to 0 resolves this issue.


OpenCVE Recommended Actions

  • Upgrade Junos OS to at least 23.2R2‑S6, 23.4R2‑S7, 24.2R2, 24.4R2, 25.2R1, or any later release
  • Rename any lo0.<n> (n≠0) loopback interface used in the default routing instance to lo0.0 to trigger firewall filter enforcement
  • Verify that firewall filter counters reflect activity on the lo0 interface to confirm the filter is now applied

Generated by OpenCVE AI on April 9, 2026 at 23:52 UTC.

History

Fri, 10 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Juniper Networks; Juniper Networks junos Os
Type: Vendors & Products
Values Added: Juniper Networks; Juniper Networks junos Os

Thu, 09 Apr 2026 22:00:00 +0000

Type: Description
Values Added: same text as the Description section at the top of this page
Type: Title
Values Added: Junos OS: MX Series: Firewall filters on lo0.<non-0> in the default routing instance are not in effect
Type: Weaknesses
Values Added: CWE-754
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:L'}


MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-04-10T14:14:24.774Z

Reserved: 2026-03-23T19:46:13.668Z

Link: CVE-2026-33774

Vulnrichment

Updated: 2026-04-10T14:14:16.212Z

NVD

Status: Received

Published: 2026-04-09T22:16:25.803

Modified: 2026-04-09T22:16:25.803

Link: CVE-2026-33774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:55Z
